12 Startups Poised to take on the Latest Cybersecurity Threats

The market is prime for a new class of startups that can decipher tomorrow’s cybersecurity threats.

According to Gartner, by 2020, 60 percent of digital businesses will fall victim to devastating service failures due to their inability to handle the threats present in new technologies. Digital hazards are so pervasive that Gartner reports that the worldwide security software market grew 4.9 percent and totaled $19.9 billion by the end of 2013.

Though dismaying statistics for government officials, the news is catalyzing IT entrepreneurs and venture capitalists to launch startups to meet demand. Research group PrivCo noted companies in the cybersecurity sector jumped by nearly 60 percent in early stage funding from 2012 to 2013, and worldwide, listed investments at $244 million.

In light of the rising tide of cyberattacks, Government Technology interviewed 12 emerging security companies to hear about their strategies and tactics for protecting their customers’ digital assets.

Enterprise-level crowdsourced security testing for Web applications, mobile apps and host-based infrastructure. The company points to its Red Team, made up of security pros spanning six continents and 27 countries, as vital to the success of its security business model.Primary customers: Retail, financial services, oil and gas, and health-care services.Founded: January 2013Founders: Jay Kaplan and Mark Kuhr

What’s the most dangerous threat affecting organizations?
“The most dangerous threats are those that organizations don’t know about. Specifically, we find threats to mobile applications are on the rise. Every day organizations are getting compromised via a variety of attack vectors without ever realizing it.”

What’s the most dangerous type of malware today?
“Malware with an extremely small footprint is difficult to spot and difficult to remediate against. Malware and malware detection solutions will continue to play a cat-and-mouse game for many years to come.”— Jay Kaplan, CEO

What’s the biggest misconception IT professionals have about cybersecurity?
“That existing approaches to security — containerization, centralized data analysis, firewalls and anti-virus — can deal with new threats and especially, can work on new types of smart devices.”

What’s the most dangerous threat affecting organizations?
“The increasing reliance on more and different types of connected devices from phones to cars to thermostats to insulin pumps. These new devices are open to exploitation in ways never seen before and can pose a significant risk if not protected.”— Hugh Brooks, President

Shape says it challenges the traditional “detect and fix” model by adding a foundational layer of security to protect Web applications at the user interface level. Its flagship product, ShapeShifter, is a botwall that disables attacks from malware, botnets and scripts by mimicking the way malware evades anti-virus software, turning websites into moving targets, rendering malware, botnets and scripts unable to interact with them.

Primary customers: Emphasis on Fortune 50 companies with early adopters in financial services, health care and retail.Founded: Stealth launch in 2011, official launch in January 2014Founders: Derek Smith, Justin Call and Sumit Agarwal
What’s the most dangerous threat affecting organizations?
“Automation is the most dangerous threat and is what all attacks ­— from malware, botnets and scripts — have in common. These sophisticated attacks — such as account takeovers, application DDoS, database scraping and fake account creation — use automation to evade even the best security defenses.”

What’s the biggest misconception about cybersecurity?
“There are many big misconceptions, but one of the most pervasive is that ‘fully patched’ applications [software that’s been updated with protection] are secure.”— Shuman Ghosemajumder, VP of Strategy

What’s the most dangerous type of malware today?
“Malware that is targeted to steal a specific set of data from a customer, not compromise an entire system. It’s the most dangerous type of malware today. Because it’s an under-the-radar attack with a smaller scope and customized to the targeted environment, it can be easily underestimated by the IT departments built to defend it. This is a common threat, especially from Chinese and Russian hackers, who are looking to compromise core American businesses with greater frequency.”— Jon Miller, VP of Strategy

What’s the biggest misconception about cybersecurity?
“That the cloud is insecure. It’s the job of software-as-a-service application providers to ensure that their products are as secure as possible. Many SaaS vendors hire the best and the brightest in IT security, and buy the best security products in order to ensure the security of their customers’ data. But they are solely focused on preventing breaches into their infrastructure — things like denial of service attacks, malware outbreaks and widespread data exfiltration events.

There’s another set of security risks that cloud app vendors are less concerned with, risks that involve leakage of sensitive corporate data. When sensitive data stored in SaaS apps is not properly controlled, the result can be an inadvertent or malicious leakage of company data, theft of user credentials, regulatory compliance failure, etc. These types of risks are outside of the control of the SaaS application provider.”— Nat Kausik, CEO

Offering cloud security for data in Google Apps, Salesforce and more, CloudLock bills itself as the world’s only cloud-to-cloud security provider, enabling organizations to enforce regulatory, operational and security compliance easily and effectively. The company extends enterprise security controls to the cloud, responds to next-generation cybersecurity risk within public cloud platforms and increases adoption of SaaS apps.Primary customers: Government agencies include the U.S. Naval Academy, National Defense University and more than 15 other federal departments. Commercial customers include Whirlpool, HBO, Seagate Technology and Pandora.Founded: 2011Founders: Gil Zimmermann, Tsahy Shapsa and Ron Zalkind

What’s the most dangerous threat affecting organizations?
“The exponentially growing threat surface represented by mobile and cloud applications and services. Businesses are self-selecting cloud solutions and outpacing traditional IT and security. This means that there is a very large threat surface that is addressed with legacy mindset and solutions.”

What’s the biggest misconception about cybersecurity?
“That it is an inhibitor. Security is not just for saying no. When used correctly, security enables IT professionals to say yes, and ultimately leads to happier and more productive workforces.”
— Ron Zalkind, Co-Founder and CTO

What’s the most dangerous threat affecting organizations?
“I would say as you look across governments in general, not just the U.S. federal government, but when you go down to states and localities, the biggest problem they have is not understanding that the data they have is valuable. … Even if they think their data isn’t important, they may be a steppingstone to another environment [or target].”

What’s the biggest misconception about cybersecurity?
“You hear the term ‘cyberwar,’ and regardless about how you think about it, it’s something that’s here, it’s not going to change and it’s going to be a continuous cat-and-mouse game for many years and for the foreseeable future. … We have to be diligent 24 by 7.”— Tony Cole, VP and Global Government CTO

What’s the most dangerous type of malware today?
“Password stealers — the low-lying, advanced, persistent threat waiting to capture password information or credit card details. It is inactive for long periods of time while watching network traffic and gathering information. The recently discovered theft of 1.2 billion usernames and passwords [by Russian hackers in August] is a great example. If security teams had a way to share threat information more quickly, these problems would not become such great successes and never make such headlines.”— Greg Martin, CTO

BitSight claims to secure corporate data anywhere it goes ­— from the cloud, to the mobile device and on the Internet. The company describes its approach as “quantified and evidence-based,” using globally placed Internet sensors to detect malicious activity coming out of an entity’s network. Primary customers: Finance, retail, education, utilities, health care, insurance and more. Founded: 2011Founders: Stephen Boyer and Nagarjuna Venna

What’s the biggest misconception about cybersecurity?
“Regularly updating [malware code] definitions in anti-virus and firewall systems will be enough to protect the organization from the changing threat landscape. Organizations need to have an active view of their security performance that tracks change over time and provides metrics that can be understood by business executives as well. This way, cybersecurity becomes a strategic business issue instead of a rote task of checking minimum requirements.”— Stephen Boyer, Founder and CTO

Confer protects servers, laptops, mobile devices and other endpoint users from sophisticated attackers through cloud-based behavioral tracking. The company’s advanced detection and incident response uses a single sensor and gives administrators detailed information on malware — how it got there, when it got there, what it did, etc.Primary customers: Both enterprise and public-sector institutions with deployments ranging from 100-person companies to Fortune 50 companies.Founded: 2013Founders: Jeff Kraemer, Paul Morville and Mark Quinlivan

What’s the most dangerous type of malware today?
“In the past, we worried a lot about destructive attacks such as fast-moving worms, but we don’t see these as much lately and they are easy to detect. We worry a lot more about custom-developed, targeted attacks that are remote-controlled. They fly past anti-virus protection and are very hard to detect from the network. Meanwhile, they provide unfettered access to any information on that machine and can be a leverage point for a broader attack.”— Paul Morville, VP of Products

Veracode provides a cloud-based platform for application risk assessment and management. The company delivers a widely used cloud-based service for securing a variety of enterprise applications, including Web, mobile, legacy and third-party; identifying application-level threats before they can be exploited by cybercriminals.Primary customers: Global enterprise companies, including three of the top four banks in the Fortune 100 and more than 25 of the world’s top 100 brands.Founded: 2006Founders: Chris Wysopal and Christien Rioux

What’s the biggest misconception about cybersecurity?
“The biggest misconception is around the need to block attacks from threat actors such as organized crime and nation states, and that protection alone can secure an enterprise. This has created an over-dependence on firewalls and endpoint security, as well as other tool-based security approaches. The reality is, more than 50 percent of attacks target the vulnerabilities in the application layer.”— Chris Wysopal, Co-Founder and CTO

Trustwave has three main areas of expertise: compliance and risk management, managed security services and threat intelligence research and services. Its 50-plus patents legitimize the company’s security on demand services, offered through its cloud-based portal platform, Trustkeeper.Primary customers: Small businesses to Fortune 500 companies across industries, including government, with services touching 2 million customers in more than 96 countries.Founded: 1995Founders: Robert McCullen and Andrew Bokor
What’s the most dangerous threat affecting organizations?
“Unfortunately there is no one single threat that affects all organizations. Every organization has its own unique threat profile based on its industry, business model, adoption of technology (for instance, an e-commerce presence) and internal security awareness. Some industries are more targeted than others, like retail and hospitality. According to Trustwave’s Global Security Report, retail was once again the top industry compromised, making up 35 percent of the attacks investigated in 2013. Food and beverage ranked second at 18 percent and hospitality ranked third at 11 percent.”— Karl Sigler, Threat Intelligence Manager Editor’s Note: Trustwave was named in multiple lawsuits by financial institutions related to the company’s relationship with Target during its massive data breach discovered late last year. While the claims point fingers at Trustwave for failing to spot the retailer’s security vulnerabilities, CEO Robert McCullen called the claims “without merit” in an open letter to customers and business partners. “... Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target,” he said.Further, the suits were dismissed April 2014 when the two banks involved, Trustmark National Bank and Green Bank, filed to dismiss them.